October 6, 2016 at 3:19 pm ET
The Federal Communications Commission will vote on new privacy rules on Oct. 27 that would require internet service providers to receive explicit consent from users before using web browsing and app usage history, along with other “sensitive” data.
To become finalized, the rules would need three of the five FCC commissioners to approve it. That’s a likely scenario, given that three of them are Democrats who tend to favor privacy protections, but it isn’t guaranteed.
It is also possible that the rules being circulated among commissioners now will change before the scheduled vote.
The new rules mark a slight break from the Federal Trade Commission’s existing framework for policing the privacy practices of internet companies and broadband providers. The FCC rules separate data into two categories, with requirements that companies seek consent before using “sensitive information” such as financial or health data. Other types of data are subject to a less stringent standard.
The FCC’s rule defines “sensitive information” more broadly than the FTC does, despite the wishes of the private sector to keep the two regulatory structures as alike as possible.
“The bottom line is that the information you share with your broadband provider is yours,” FCC Chairman Tom Wheeler said in a Thursday blog post announcing the rules. “With the FCC’s new privacy protections, you will have the right to determine how it’s used.”
Under this new framework, the FTC would continue to police the privacy policies of “edge providers” such as Facebook Inc. and Amazon.com Inc. The FCC would pick up the enforcement of privacy policies for data held by internet service providers such as AT&T Inc. and Verizon Communications Inc.
That would mean the data harbored by apps or websites would be subject to a slightly less strenuous standard under the FTC. The FTC’s definition of “sensitive” data includes Social Security numbers, financial data, health data, geolocation data and children’s data. The FCC has added browsing and app behavior to that list.
Wheeler argues that the new rules extend the agency’s decades-long responsibility — to protect consumers using telephones — to the internet. The FCC gave itself the legal authority to regulate internet service providers such as phone companies in its landmark 2015 net neutrality rules.
“FCC regulations limit how your phone company can repurpose and resell what it learns about your phone activity without your consent,” Wheeler wrote. “Similar rules don’t exist for broadband service today. That’s a gap that must be closed – consumers who use the network of the 21st century deserve similar protections.”
Since the FCC passed proposed the privacy rules in March, the broadband industry has pressed for the FCC to adopt in total the FTC’s framework on internet privacy.
While the FCC appeared to be adopting the FTC’s approach earlier this week, the final rules introduced Thursday substantially expand the FTC’s definition of sensitive data. That’s something that major companies such as AT&T, Verizon and Google Inc. are against.
USTelecom President Walter McCormick said in a statement that the group is “concerned that the FCC, which has no expertise with regard to determining the content of speech, is now attempting to redefine what consumers may regard as sensitive.”
USTelecom represents AT&T and Verizon, among other carriers.
The FCC says its rules are in line with the FTC’s approach with a special eye toward the role of ISPs in the internet marketplace. The commission shaped the definition of sensitive information for ISPs by looking at the FTC’s standard “in the particular context of the relationship between the ISP and the consumer,” a senior FCC official told reporters Thursday.
An internet service provider can see virtually all websites and apps a user visits. This gives those providers a “unique vantage point” that makes that data sensitive, the official added.
In pushing back on the rule, broadband providers and Republicans have argued that any differentiation from the FTC’s approach would lead to confusion for businesses.
Privacy advocates such as Sen. Ed Markey heralded the new rules. “Every click an American makes online paints a detailed picture of their personal and professional lives, and this sensitive information should be protected by strong broadband privacy standards,” the Massachusetts Democrat said in a Thursday statement.
The consumer advocacy group Public Knowledge also gave its support of the rules. The Open Technology Institute urged for passage of the rules, saying they would keep “control of information widely considered to be private, such as browsing history and application usage, firmly in the hands of consumers, where it belongs.”
The Center of Democracy and Technology said the FCC’s new rules mark “real progress” in allowing consumers to take charge of their own privacy, but the group pushed for an even broader definition of sensitive data in the future.
“There are still important details to sort that could potentially weaken the proposed rules,” Chris Calabrese, vice president of policy at CDT, said in a Thursday statement. “The definition of ‘sensitive’ data must remain as broad as possible, and genuine controls need to be in place to avoid any re-identification of user data.”
The rules would also prohibit companies from refusing service to customers who don’t consent to the use and sharing of their personal information. They would require firms to disclose more information about “pay for privacy” programs in which broadband providers offer discounts or other incentives if a customer allows the company to the use their personal data. The FCC would examine those programs on a case-by-case basis to determine their legitimacy.
The rules would also obligate internet service providers to take “reasonable measures” to protect customer information from breaches, Wheeler wrote. “If a breach does occur, the rules would require ISPs to take appropriate steps to notify consumers that their data have been compromised.”
FTC Chairwoman Ramirez said she is “pleased” the FCC is “moving forward to protect the privacy of millions of broadband users across the country,” in a Thursday statement.
Ramirez added that she believes the FTC’s comments on the FCC proposal “has helped strengthen this important initiative.”